If the tenant is described as an entity in the graph, then no that's not supported, and the feature request is described in https://github.com/authzed/spicedb/issues/1317 You could certainly implement this with caveats, if you make all entities have a caveat that check the expected tenant_id vs a client provided tenant_id